WHITE PAPER

Vormetric and SanDisk: Encryption-at-Rest for Active Data Sets

951 SanDisk Drive, Milpitas, CA 95035
www.sandisk.com

Table of Contents

Abstract
Introduction
The Solution
    The Advanced Encryption Standard (AES)
    Intel AES-NI
    Vormetric
    Fusion ioMemory
Solution Testing
    Database Testing
    File System Testing
Summary
Abstract

Achieving high performance while maintaining secure systems is an ongoing challenge for today's enterprises. While it is imperative for industry and government to react instantly to new information, protecting this data from adversaries is even more important. Consequently, performance is often sacrificed in favor of security. In this paper we show how a system combining Vormetric encryption and Fusion ioMemory products offers unprecedented performance while maintaining security and compliance, including FIPS 140-2 encryption-at-rest requirements.

Introduction

Both industry and government worldwide are facing ever-increasing requirements to secure data. External compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), US state data-breach laws, the US HIPAA/HITECH Acts, the UK Data Protection Act, and the EU Data Protection Directive raise the bar for data security, and carry heavy fines and notification requirements for companies that experience a data breach. In response, business leaders are now imposing internal data security mandates to protect intellectual property and all types of private and confidential data, to avoid the brand damage and business losses that can result from a breach of these types of data. One way companies meet internal and external data protection mandates is with encryption.

SanDisk is the industry leader in non-volatile memory solutions. SanDisk products offer applications millions of IOPS (Input/Output Operations per Second) and gigabytes of bandwidth in a single server with minimal latency, making systems capable of multi-millions of transactions per second. Its products' high performance is key to both business and intelligence. This is why SanDisk has been deployed in Fortune 100 companies and countless government agencies for years, and has established OEM relationships with every major server manufacturer on the planet.

Until now, it has not been possible for a single system to deliver both industry-leading performance and AES encryption. Using Vormetric Encryption VS and Fusion ioMemory products, security and performance are no longer at odds.

The Solution

The Advanced Encryption Standard (AES)

One popular encryption standard used by governments and enterprises around the world is the Advanced Encryption Standard (AES). AES is an encryption specification adopted by the US government in 2001, superseding the older, less secure 3DES (Triple Data Encryption Standard), with 128-, 192-, and 256-bit key lengths. AES is the first publicly accessible and open cipher approved by the US National Security Agency (NSA) for top secret information when used in an NSA-approved cryptographic module. For more information on AES, refer to United States government FIPS Publication 197. For the AES algorithm, Vormetric Encryption supports 128- and 256-bit encryption keys.
Intel AES-NI

Intel AES-NI (Advanced Encryption Standard New Instructions) is a set of new instructions in the Intel Xeon processor 56xx Series (formerly codenamed Westmere-EP) and more recent Intel processors. Intel AES-NI implements a set of instructions in hardware to compute some steps of the AES algorithm. Encryption performance is significantly improved by moving these steps from software to hardware. The hardware implementation speeds execution of the AES encryption/decryption algorithms and helps to significantly reduce the performance overhead required for encryption.

Vormetric

Vormetric Data Security is a comprehensive solution for centrally managed key management, encryption, and access control for data at rest across distributed systems. Vormetric Data Security is a proven high-performance encryption and key management solution that transparently deploys on Linux, UNIX, and Windows servers in physical, virtual, and cloud environments. The Vormetric Data Security Manager appliance integrates key management, data security policy management, and event log collection into a centrally managed cluster that provides high availability and scalability to thousands of Vormetric Encryption agents. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed environments.

The Vormetric Data Security Manager stores the data security policies, encryption keys, and audit logs in a hardened FIPS 140-2-certified appliance that is physically separated from the hosts. Security teams can enforce strong separation of duties over management of the Vormetric system by requiring key assignment and policy management to be handled by more than one data security administrator, so that no one person has complete control over the security of data.

Fusion ioMemory

Fusion ioMemory products use VSL (Virtual Storage Layer) software to transform NAND flash into a new tier of non-volatile memory. This new memory tier is nearly as fast as RAM, holds orders of magnitude more capacity per server, and has far lower power and cooling costs. ioMemory eliminates network, controller, and storage protocols between applications and the flash to offer dramatically lower latencies than hard disk- and SSD-based storage systems. Without this architecture, other solutions can never achieve the same levels of application acceleration and infrastructure consolidation. By combining Fusion ioMemory technology with Vormetric Encryption, enterprises can achieve unprecedented performance for encrypted data access.
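The AES-NI speed-up described above can be checked on any Linux host before trusting a vendor's encryption-overhead figures. The following POSIX shell script is an added example, not part of the white paper or of the Vormetric or SanDisk products: it looks for the "aes" CPU flag and, where an openssl binary is available, compares AES-256-CBC throughput with AES-NI enabled and with it masked off through the OPENSSL_ia32cap environment variable. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the white paper): confirm that the host exposes
# Intel AES-NI and measure how much it speeds up AES-256-CBC using the
# benchmark built into the openssl command-line tool.
# Assumes Linux (/proc/cpuinfo) and an openssl binary on PATH.

# cpu_flags: the feature flags of the first CPU listed in /proc/cpuinfo
cpu_flags() {
    grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-
}

# has_aesni FLAGS: succeed if the whitespace-separated flag list contains "aes"
has_aesni() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -qx 'aes'
}

# speed_kbytes TEXT COL: throughput (in 1000s of bytes/s) from the aes-256-cbc
# summary line of `openssl speed -evp aes-256-cbc`, for block-size column COL
# (1 = first column ... 6 = 16384-byte column); prints nothing if the line is absent
speed_kbytes() {
    printf '%s\n' "$1" |
        awk -v col="$2" '$1 == "aes-256-cbc" { v = $(col + 1); sub(/k$/, "", v); print v }'
}

# overhead_pct FAST SLOW: percentage lost when running at SLOW instead of FAST
overhead_pct() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", (a - b) * 100 / a }'
}

main() {
    if has_aesni "$(cpu_flags)"; then
        echo "AES-NI: advertised in CPU flags"
    else
        echo "AES-NI: not advertised by this CPU (software AES only)"
    fi
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping benchmark"; return 0; }
    # OPENSSL_ia32cap masks the CPUID bits OpenSSL sees; clearing the AES-NI bit
    # (bit 57) forces the pure-software AES code path, the "before" case
    with=$(speed_kbytes "$(openssl speed -seconds 1 -bytes 16384 -evp aes-256-cbc 2>/dev/null)" 1)
    without=$(speed_kbytes "$(OPENSSL_ia32cap='~0x200000000000000' openssl speed -seconds 1 -bytes 16384 -evp aes-256-cbc 2>/dev/null)" 1)
    [ -n "$with" ] && [ -n "$without" ] || { echo "could not parse openssl speed output"; return 0; }
    echo "aes-256-cbc, 16 KiB blocks: ${with}k/s with AES-NI, ${without}k/s without"
    echo "software-only AES overhead: $(overhead_pct "$with" "$without")%"
}
main
```

The reported overhead is for a single core running the raw cipher; the whole-system figures in the testing section below also include file-system and database work that is unaffected by encryption.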
Solution Testing

The tests compared the performance of a configured system before and after volumes were encrypted with AES-256 and guarded by the Vormetric agent. Tests were run on an HP ML350p equipped with dual Intel Xeon E5-2690 processors, 64GB of DRAM, and two Fusion ioMemory ioDrive2 Duo 2.4TB cards.

Database Testing

Database load was generated with the Swingbench order entry tool, a free load generator and database stress testing tool. Swingbench simulates JDBC (Java Database Connectivity) transactions, similar to a TPC-C benchmark. Swingbench inserts data similar to an order processing system and simulates user queries that include both small transactions and large table joins. The database was configured in both guarded (encrypted) and unguarded (cleartext) configurations for this test.

File System Testing

IOPS and bandwidth were tested with the SanDisk storage benchmarking tool for both the encrypted and unencrypted volumes. The ioDrive2 Duo cards were first configured with mdadm to create a single 2TB volume, which was formatted with an ext4 file system. Tests were run with 4K and 1MB block sizes.

Summary

This testing demonstrates that the combination of Fusion ioMemory devices and Vormetric Encryption supporting AES-NI technology enables enterprises to secure data while maintaining exceptional performance for both file system and database workloads. This configuration yields higher performance than many expensive disk-based systems deliver even without encryption at rest.

Raw file system performance carried the higher overhead, up to a 63% performance impact on IOPS. However, at 139,244 IOPS, it still delivered the performance of nearly 700 hard disks. In the database benchmarks, the tests that illustrate how storage affects application performance, the ultra-low latency SanDisk architecture delivered much higher performance than the raw flash file system tests: Vormetric introduced under 2% overhead for database inserts and under 8% overhead to total transactions per minute. This testing shows that security can be guaranteed while still achieving high levels of performance.

FOR MORE INFORMATION

Contact a SanDisk representative, 1-800-578-6007 or fusion-sales@sandisk.com

The performance results discussed herein are based on testing and use of the described products. Results and performance may vary according to configurations and systems, including drive capacity, system architecture and applications.

2014 SanDisk Corporation. All rights reserved. SanDisk is a trademark of SanDisk Corporation, registered in the United States and other countries. Fusion ioMemory, ioDrive, VSL and others are trademarks of SanDisk Enterprise IP LLC. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).